Last updated: February 16, 2026

GDPR Compliance

Conteqx is committed to protecting the privacy and data rights of individuals in the European Economic Area (EEA). This page outlines our compliance with the General Data Protection Regulation (GDPR).

Our Commitment

As a data controller and data processor, Conteqx adheres to the principles of the GDPR. We process personal data lawfully, fairly, and transparently. We collect only the data necessary for providing our service and retain it only for as long as required.

  • Data minimization by design
  • Privacy by default
  • Encrypted data storage
  • Regular compliance audits
  • Data Protection Officer appointed
  • Lawful basis for all processing
  • 72-hour breach notification
  • Cross-border transfer safeguards

Legal Bases for Processing

We process personal data under the following legal bases:

Contract

Processing necessary to provide the Conteqx service as agreed in our Terms of Service.

Legitimate Interest

Processing necessary for our legitimate interests, such as improving our service and ensuring security.

Consent

Processing based on your explicit consent, such as marketing communications.

Legal Obligation

Processing necessary to comply with applicable laws and regulations.

Your Rights Under GDPR

Right to Access

You can request a copy of all personal data we hold about you. We will provide this within 30 days of your request.

Right to Rectification

If any of your personal data is inaccurate or incomplete, you can request that we correct it.

Right to Erasure

You can request the deletion of your personal data. We will erase your data within 30 days, except where we have a legal obligation to retain it.

Right to Data Portability

You can request your data in a structured, commonly used, machine-readable format (JSON or CSV).

Right to Restrict Processing

You can request that we limit the processing of your personal data in certain circumstances.

Right to Object

You can object to the processing of your personal data for specific purposes, including direct marketing.

Right to Withdraw Consent

Where processing is based on consent, you can withdraw your consent at any time without affecting the lawfulness of prior processing.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority in your country of residence if you believe your data rights have been violated.

Data Processing Activities

We maintain a Record of Processing Activities (ROPA) as required by Article 30 of the GDPR. Our key processing activities include:

  • User account management and authentication (via Clerk)
  • API key encryption and secure storage
  • Processing AI chat requests on behalf of users
  • Payment processing (via Stripe)
  • Anonymized analytics for service improvement

International Data Transfers

When transferring personal data outside the EEA, we ensure adequate safeguards are in place through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • EU-U.S. Data Privacy Framework certifications where applicable
  • Data Processing Agreements with all sub-processors

Sub-Processors

We use the following sub-processors to provide our service:

Provider   Purpose              Location
Clerk      Authentication       United States
Stripe     Payment processing   United States
Supabase   Database & storage   United States
Vercel     Hosting & CDN        Global

Data Breach Response

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
  • Notify affected individuals without undue delay when the breach poses a high risk
  • Document the breach, its effects, and the remedial actions taken

Contact Our DPO

To exercise your rights or for any GDPR-related inquiries, please contact our Data Protection Officer: